ABSTRACT

Variability modeling, and in particular feature modeling,
is a central element of model-driven software product line
architectures. Such architectures often emerge from legacy
code, but, unfortunately, creating feature models from large
legacy systems is a long and arduous task.

We address the problem of automatic synthesis of feature
models from propositional constraints. We show that this
problem is NP-hard. We design efficient techniques for
synthesis of models from CNF and DNF formulas, respectively,
showing a 10- to 1000-fold performance improvement over
known techniques for realistic benchmarks.

Our algorithms are the first known techniques that are
efficient enough to be applied to dependencies extracted from
real systems, opening new possibilities of creating reverse
engineering and model management tools for variability models.
We discuss several such scenarios in the paper.

1. INTRODUCTION 

Variability models are central to development and management
of software product lines (SPL). They comprise
simple problem space models and usually quite complex
solution space models. A problem space model describes major
decisions made during customization—such as whether
an Enterprise Resource Planning (ERP) system should include
an e-commerce platform or not. The solution space
model explains how the problem space decisions affect the
realization—for example, how the e-commerce platform is
woven into the implementation, by extending data models,
user interfaces and services.

Variability models contain concepts referred to as decisions
[36], features [27] or variation points [21], depending on
the abstraction level. The abstract models tend to contain
relatively few concepts (up to hundreds in the largest models),
while the low level concrete models can reach thousands
of variation points. These concepts are typically organized
hierarchically, and related to each other using constraints.

There exist multiple commercial (Pure Systems GmbH, 
Big Lever Software Inc.) and research [13, 23, 22, 36] tools for 
variability modeling. Recognizing the increasing significance 
of this market segment, The Object Management Group 
(OMG) has initiated [34] a standardization process for the 
Common Variability Language (CVL). 

Feature models [27, 1] are one of the prominent notations
used in variability modeling. Applications of feature modeling
include automatic generation of product configurators,
driving code generators [14] and build systems [6] to compose
individual members of an SPL, and driving test and
verification [29, 11]. Feature models will also be part of the
CVL standard [34]. In this paper we use the term feature in
the abstract unifying sense, meaning either a decision or a
variation point. This simplification is justified, since we will
be exploiting the combinatorial structure of features, which
is similar in the solution space and in the problem space.

SPLs are typically large software projects, often resulting
from a long lasting evolution, based on substantial legacy
code. Industrial SPLs employ models containing thousands
of features, especially if they mix the problem and the
solution space. For instance, the Linux kernel project uses a
model containing in excess of 5000 features to describe its
x86 architecture [6]. At the same time, there exist SPLs,
such as the FreeBSD kernel, that could benefit from having
feature models, but presently no such models exist for them.
Communications with Pure Systems indicate that similar
models and situations are met in the industry.

Reverse engineering techniques for variability models would
ease adoption of product line practices, enabling smoother
migration of legacy code to systematic product line architectures
and their subsequent evolution. This paper addresses
the problem of synthesis of feature models, which is the core
algorithmic part of reverse engineering: to synthesize a feature
model from a given set of dependencies. We construct
diagrams that contain a hierarchy of groups of binary features
enriched by cross-hierarchy inclusion/exclusion constraints.
Our algorithms assume a constraint system expressed in
propositional logics as input. In practice, these constraints
can be either specified by engineers, or automatically mined
from the source code using static analysis [5]. Furthermore,
effective management of large feature models requires model
management operations such as merge, compare, diff, and
project [1]. Such operations ease model evolution by allowing
developers to compare models to assess the impact of model
edits and build large models by composing smaller ones. The
feature model synthesis problem is also at the core of several
such model operations, which are defined via logical
operators on formulas derived from the input models [ ].

Figure 1: Components of FM synthesis

Scenario 1. FM synthesis from product configurations—late tree hierarchy selection.

In this paper we formally define the problem of synthesis of 
feature models, discuss its complexity, derive semantic based 
algorithms and argue for their correctness. Technically, we 
synthesize not a feature model, but a feature graph, which 
is a symbolic representation of all possible feature models 
that could be sound results of the synthesis. Then we show 
that any of these models can be efficiently derived from the 
feature graph. Our contributions include: 

• Definition of feature model synthesis as an algorithmic
problem, an NP-hardness result, and a complexity
driven analysis of suitable solution techniques.

• An algorithm for synthesis of feature models from conjunctive
normal form (CNF) formulas, at least 10 times
faster than previously known algorithms.

• An efficient algorithm for synthesis of feature models 
from disjunctive normal form (DNF) formulas. 

• An implementation and an evaluation of the above. 

The above techniques produce feature models, but can be
easily adjusted to other languages, such as the propositional
part of variability specifications of the current CVL proposal.
Importantly, the algorithm for synthesis of models from a
constraint in CNF is the first known technique for this
problem that can be applied to data extracted from real
systems. The previous work of the same authors [16] has
shed light on the mathematical structure of the problem, but
has failed to provide scalable algorithms.

2. OVERVIEW AND MOTIVATION 

Feature model synthesis takes as input a formula representing
a set of feature dependencies or product configurations
and outputs a feature graph (FG) or feature model (FM). We
separate FM synthesis into two reusable steps (Fig. 1): (a)
DAG hierarchy recovery—which reconstructs the hierarchy
of the diagram, possibly with multiple parents for a feature,
and (b) group and cross-tree constraint (CTC) recovery—
which identifies feature groups and additional constraints
that cannot be represented by the hierarchy.

The first step, DAG hierarchy recovery, takes the input
formula in either CNF or DNF, and produces a DAG that
contains all possible FM tree hierarchies.

The second step identifies all feature groups and CTCs
given the propositional formula, DAG and an optional tree
hierarchy. This step outputs an FM or an FG depending on
whether a tree hierarchy is provided as input or not.

These two steps can be used in a variety of scenarios. The 
remainder of this section describes reverse engineering from 
product configurations or code and operations on feature 
models as examples (Fig. 2). The contribution of this paper 
is to provide efficient algorithms for these two steps. 



Scenario 2. Tool-assisted FM reverse engineering—early tree hierarchy selection.

Scenario 3. Binary FM merge operation—early tree hierarchy selection.

Figure 2: FM synthesis scenarios

Figure 3: Abstract workflow for FM synthesis with early hierarchy selection

Scenario 1. This scenario describes the process of synthesizing
a FG from a set of product configurations. Here, the
product configurations are represented as a formula in DNF.
In this conversion, a product is represented as a conjunction
of positive literals representing features present in the
product and negative literals representing features absent
from the product; a set of products is then a disjunction
of the conjunctions representing the individual products.
The two synthesis steps are executed consecutively in this
scenario yielding a feature graph. The final FM is built
using an interactive FM building tool that uses the FG as
a guide [26]. This scenario is an example of FM synthesis
where the FM hierarchy is decided at a later time, after the
FG is constructed.

Scenario 2. This scenario describes reverse engineering a FM
from code. Variability rich software, such as the FreeBSD
kernel, can benefit from having a FM. The FreeBSD operating
system kernel is configured in the build system to
derive variations of the kernel functionality. Unlike the Linux
kernel [6], the FreeBSD kernel does not have a FM to make
configuration of variants easier for users and management of
variability easier for developers.

The dependencies among features can be extracted from
source code using static analysis yielding a formula in CNF.
This scenario differs from the first by introducing an intermediate
step for deriving a tree hierarchy. In this scenario,
the tree is built by a user supported by a tool using a feature
similarity measure operating on the DAG [39]. This paper
describes a concrete realization of this scenario by reverse
engineering dependencies from build systems [5] and code
with conditional compilation directives, which are then used to
reverse engineer an FM for FreeBSD. The work presented
here allowed for the reverse engineering approach to scale to
large FMs, with several thousands of features.

Scenario 3. Our third scenario describes binary operations
on two FMs [1]. Examples of operations include merging,
diffing, comparing, and slicing feature models. The two
input models, $FM_1$ and $FM_2$, are first translated to their
propositional formulas [3], then an operation is applied to
merge the two models resulting in a single formula. This
formula is converted to CNF and then passed to FM synthesis.
In this scenario, a tree hierarchy is derived automatically
based on merge heuristics applied to the tree hierarchies of
the input FMs. Acher’s FM management infrastructure [1]
implements the operations using our previous BDD-based
FM synthesis solution [16], which does not scale beyond
small FMs, with few dozens of features. The algorithms
presented here can be used to improve the scalability of that
infrastructure.

Abstract workflow. In general, some form of additional input
is required in order to derive a tree hierarchy from the DAG.
In Scenario 1, the additional input came in the form of
user decisions supported by an interactive FM building tool.
Scenario 2 shifts tree hierarchy selection to before the group
and CTC recovery steps and uses user decisions supported
by a feature similarity measure to derive a tree. Scenario
3 uses FM merge heuristics. Scenarios 2 and 3 generalize
to the workflow in Fig. 3. Since the workflow in Scenario
1 builds all FMs that can be built from a formula, the
workflow in Fig. 3 can be seen as a special, easier case that
prunes alternative hierarchies from the DAG using a given
tree hierarchy and thus builds only a single FM. Since our
focus is on efficient algorithms, we will present only the
computationally harder workflow from Scenario 1; the easier
scenario is easily derivable from the presented one.

Methodology. We first analyze computational complexity of
the individual steps in the synthesis of feature models, and
of variations of the problems for different input representations.
The complexity analysis allows us to decide what the
promising reductions of the problem are; for example using
SAT-based techniques for synthesis of or-groups from DNF
formulae, and not using these techniques for CNF formulae.
We exploit this in the design of algorithms, which are then
implemented and evaluated experimentally.

3. BACKGROUND 

We begin the technical development with basic terminology
on propositional logics [9]. A clause is a disjunction of literals.
A term is a conjunction of literals. Syntactically, clauses and
terms are sets of literals. A clause $C$ subsumes a clause $C'$
iff $C \subseteq C'$. A propositional formula is in conjunctive normal
form (CNF) iff it is a conjunction of clauses; in disjunctive
normal form (DNF) iff it is a disjunction of terms.

An implicate $D$ of a propositional formula $\varphi$ is a clause
such that (i) $D$ is not a tautology and (ii) $\varphi \to D$ is a
tautology. $D$ is prime iff it is minimal: no literals can be
removed from it without violating (ii). An implicant $C$ of a
propositional formula $\varphi$ is a term such that $C$ is consistent
and $C \to \varphi$ is a tautology. $C$ is prime if it is minimal.
A formula $\varphi$ is rooted if it has at least one variable $r$ such
that for any other variable $f$: $\varphi \to (f \to r)$ is valid (in
other words $\varphi \wedge f \to r$ is valid). We write $\varphi[x \mapsto 1]$ (resp.
$\varphi[x \mapsto 0]$) meaning a formula created from $\varphi$ by substituting
all occurrences of variable $x$ by the constant 1 (respectively
0). We lift this to sets of variables writing $\varphi[x \mapsto 0]_{x \in X}$.

Figure 4: An example feature model

Figure 5: Concrete syntax of feature diagrams

We now switch to defining feature diagrams and feature
models. Our definition largely follows the syntax of FODA [27].

Def. 1. A feature diagram is a tuple $FD(F, E, (E_m, E_i, E_x), (G_o, G_x, G_m))$,
where $F$ is a finite set of features; $E \subseteq F \times F$
is a set of directed child-parent edges; $E_m \subseteq E$ is a set
of mandatory edges; $E_i \subseteq F \times F$ is a set of cross-tree implies
edges, where $E_i \cap E = \emptyset$; $E_x \subseteq 2^F$, with $|e| = 2$ for each
$e \in E_x$, is a set of cross-tree excludes edges; sets $G_o$,
$G_x$, $G_m$ contain non-overlapping subsets of $E$, participating
in or-groups, xor-groups and mutex-groups respectively: each
member subset in any of $G_o$, $G_x$ and $G_m$ is disjoint from
any other subset being a member of these sets.

The following well-formedness constraints hold in FD:

i. $(F, E)$ is a rooted tree connecting all features in $F$.

ii. All edges in a group share the same parent, so if $g \in G_i$
for $i \in \{o, x, m\}$ and if $(f_1, f_2), (f_3, f_4) \in g$ then $f_2 = f_4$.

iii. Sets $E$, $E_i$, and $E_x$ are pairwise disjoint.

A feature model FM is a pair $(FD, \varphi)$ where FD is a feature
diagram, and $\varphi$ is a propositional constraint over the features
of FD (a cross-tree constraint).

Fig. 4 presents a feature model of a simple family of cellphones
(inspired by an example available at fm.gsdlab.org).
The root of the tree, or the root feature, represents the product
family itself (cellphone). The remaining nodes represent
mandatory or optional features of the products in the family.
Display and battery are mandatory subfeatures of the root,
so in the abstract syntax of Def. 1, (display, cellphone) and
(battery, cellphone) are members of $E_m$, whereas wireless is an
optional child of root, so (wireless, root) $\in E \setminus E_m$. Children of
display form an xor-group, meaning that display can be either
mono (i.e. monochrome) or color, but not both. In terms of
abstract syntax {(mono, display), (color, display)} $\in G_x$. The
children of wireless form an or-group, meaning that a cellphone
with local wireless support should include at least infrared
or bluetooth communication, and possibly both. Finally, the
diagram contains an implies edge, (bluetooth, Li-ion) $\in E_i$,
meaning that the bluetooth feature is only provided on the
phone with Li-ion batteries.

Figure 6: Two diagrams (a-b) and a feature graph
(c), same configuration semantics

The configuration semantics $[\![FD, \varphi]\!]$ describes legal combinations
of features in the products described by the model [3]:

$$
\begin{aligned}
[\![(F, E, (E_m, E_i, E_x), (G_o, G_x, G_m)), \varphi]\!] ={}
 & \Big[\bigwedge_{(c,p) \in E \cup E_i} c \to p\Big] \wedge
   \Big[\bigwedge_{(c,p) \in E_m} p \to c\Big] \wedge
   \Big[\bigwedge_{(c,p) \in E_x} c \to \neg p\Big] \wedge {} \\
 & \Big[\bigwedge_{\{(c_1,p),\ldots,(c_k,p)\} \in G_o \cup G_x} p \to (c_1 \vee \cdots \vee c_k)\Big] \wedge {} \qquad (1) \\
 & \Big[\bigwedge_{\{(c_1,p),\ldots,(c_k,p)\} \in G_m \cup G_x} \ \bigwedge_{i,j = 1..k,\ i \neq j} c_i \to \neg c_j\Big] \wedge \varphi
\end{aligned}
$$

This semantics does not subsume the entire meaning of
feature diagrams. Different diagrams can have the same configuration
semantics (see Fig. 6a-b). Other semantic aspects
include structural dependencies between features, or conceptual
proximity of features. Here we focus on the configuration
semantics as the most central aspect of the models.

4. GENERIC SYNTHESIS ALGORITHM 

The Problem. Our objective is to take an implicit description
of the configuration semantics and synthesize a feature
diagram out of it. Since FODA feature diagrams, as defined
above, are not logically complete [37], for every formula $\varphi$
there may not exist a diagram $D$ such that $[\![D]\!] = \varphi$. Instead,
we seek a diagram that is weaker than $\varphi$ and, accompanied by
some cross-tree constraint $\psi$, coincides with $\varphi$: $[\![D, \psi]\!] = \varphi$.

To enforce creation of interesting diagrams, we require
that $D$ is maximal, so that its hierarchy is connecting all
the features, that no more cross-tree edges can be added,
and that no group definition can be strengthened (no mutex-
or or-group can become an xor-group). This way as much
information as possible is represented in the diagram itself,
without resorting to the cross-tree constraint (otherwise an
empty diagram $D$ and $\varphi$ itself is a trivial answer to every
instance of the problem).

Def. 2. The feature model synthesis problem (FMS) is:
given a consistent rooted formula $\varphi$ over a set of features
$F$, synthesize a diagram $D$ over $F$, such that $\varphi \to [\![D]\!]$
and $D$ is maximal such, i.e. (i) no element can be added
to the collections of mandatory edges ($E_m$), implies edges
($E_i$), excludes edges ($E_x$), and or-, xor-, and mutex-groups
($G_o$, $G_x$, $G_m$) without violating the above implication, (ii) no
group can be moved from $G_o \cup G_m$ to $G_x$ without violating
the above implication.

Recall that, by Def. 1, the above also implies that the diagram
$D$ must connect all the features in $F$.

Thm. 1. The decision version of FMS is NP-hard. 2 

In practice, the requirement that $\varphi$ is rooted is not a
limitation. This often follows from the way $\varphi$ was obtained.
Otherwise, a fresh variable $r$ can always be added to $\varphi$ with
necessary implications to make it rooted. Consistency of
$\varphi$ can be checked using a SAT solver. An inconsistency
normally indicates an error in software dependencies, which
should be fixed before synthesizing a feature diagram.

Representing Many Diagrams Symbolically. As shown in
Fig. 6a-b, there may be more than one solution to an FMS
instance. The parts (a) and (b) show syntactically different
diagrams that are equivalent in the sense of formula (1); both
corresponding to the following input formula:

$$
\begin{aligned}
\varphi ={} & (net \to drivers) \wedge (dst \to net) \wedge {} \\
            & (staging \to drivers) \wedge (drivers \to staging) \qquad (2)
\end{aligned}
$$

Our algorithm synthesizes a diagrammatic representation
of all possible feature diagrams that are compatible with
the input constraints, delegating resolving the tree hierarchy
to various usage scenarios as described in Sect. 2. This
diagrammatic representation is known as a feature graph [16]:

Def. 3. A tuple $FG(F, E, E_x, (G_o, G_x, G_m))$ is a feature
graph iff $F$ is a set of features; $E \subseteq F \times F$ is a set of directed
child-parent edges; $E_x \subseteq 2^F$ is a set of undirected excludes
edges, with $|e| = 2$ for each $e \in E_x$; sets $G_o$, $G_x$, $G_m$ contain
subsets of $E$, participating in or-groups, xor-groups and mutex-groups
respectively. The following constraints hold in FG:

i. $(F, E)$ is a connected DAG.

ii. All edges in a group share the same parent, so if $g \in G_i$
for $i \in \{o, x, m\}$ and $(f_1, f_2), (f_3, f_4) \in g$ then $f_2 = f_4$.

iii. $E$, $E_x$ are disjoint (no implies edge is an exclude edge).

Fig. 6c shows a feature graph embedding the feature diagrams
of (a) and (b). Feature graphs do not distinguish features
with mandatory relationships (here drivers and staging), because
the configuration semantics does not distinguish them.
This is why in Fig. 6c there is a node labelled with the conjunction
of the two: $drivers \wedge staging$. Such sets of always
co-occurring features are sometimes called and-groups. To
preserve information about and-groups, we use sets of features
as nodes in the algorithms below (so in practice $F$ in
the above definition is a power-set, where each node is an
equivalence class with respect to $\varphi$).

A feature graph is essentially a feature diagram in which
some conditions have been relaxed: sharing is allowed (it is
a DAG, not a tree), and feature groups can overlap. Feature
graphs do not have implication edges as they are part of the
hierarchy now that sharing is allowed.

2 Theorems are available in the appendix, to be accessed at
the discretion of referees at http://www.itu.dk/~wasowski/doc-appendix.pdf.
The appendix does not extend the paper
but merely provides evidence for the interested reader.

For a given formula a feature graph is potentially not 
unique, but two special cases are unique: the transitively 
reduced graph and the transitively closed graph. In this paper 
we work with transitively closed graphs, like the one in Fig. 6c 
(the child-parent relation E is transitively closed). One can 
extract any maximal feature diagram from a transitively 
closed feature graph FG in polynomial time. This is achieved 
by the following steps: 

1. Find a spanning tree over FG and move all the edges
not in the spanning tree to cross-tree implications ($E_i$);

2. Select greedily non-overlapping subsets from $G_o$, $G_x$,
and $G_m$ to form syntactically correct groups;

3. Choose one element from each equivalence class of
features, and create mandatory edges ($E_m$) from it to
all other members of the class;

4. Remove from $E_x$ all edges that participate in selected
mutex- or xor-groups.

So the actual algorithmic hardness of synthesizing a maximal
feature diagram can be addressed by synthesizing a
feature graph and then applying the above linear time procedure
(the latter step is very fast in practice). Using a feature
graph has one more advantage: since a suitably constructed
feature graph encompasses all possible solutions to an FMS
instance, one can optimize against additional (extra-logical)
objectives to select a useful diagram out of many possible,
as described in Sect. 2.
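The four extraction steps above, as an added Python sketch that is not code from the paper. The feature graph literal is constructed from the cellphone description of Fig. 4 (li_ion as a child of battery is an assumption), `extract_diagram` and `prefer` are hypothetical names, and picking the deepest ancestor as tree parent stands in for the extra-logical hierarchy choice.

```python
from itertools import combinations

def extract_diagram(V, E, Ex, groups, prefer=()):
    """V: and-groups (frozensets of features); E: transitively closed set of
    (child, parent) pairs over V; Ex: excludes edges as 2-element frozensets;
    groups: {"xor" | "or" | "mutex": [(parent, frozenset_of_children)]}."""
    ancestors = {v: {p for c, p in E if c == v} for v in V}
    # Step 1: one parent per non-root node gives a spanning tree of the DAG.
    # Assumption: take the ancestor that itself has the most ancestors.
    tree = {v: max(ancestors[v], key=lambda p: (len(ancestors[p]), sorted(p)))
            for v in V if ancestors[v]}
    # Every edge outside the tree, transitive ones included, moves to E_i.
    implies = set(E) - set(tree.items())
    # Step 2: greedily keep groups that lie on tree edges and do not overlap.
    used, chosen = set(), {"xor": [], "or": [], "mutex": []}
    for kind in chosen:
        for parent, kids in groups.get(kind, []):
            if all(tree.get(k) == parent for k in kids) and not kids & used:
                chosen[kind].append((parent, kids))
                used |= kids
    # Step 3: inside each and-group, mandatory edges point at one representative.
    mandatory = set()
    for v in V:
        rep = min(v, key=lambda n: (n not in prefer, n))
        mandatory |= {(m, rep) for m in v if m != rep}
    # Step 4: excludes edges already expressed by a selected group are dropped.
    grouped = {frozenset(pair) for kind in ("xor", "mutex")
               for _, kids in chosen[kind] for pair in combinations(kids, 2)}
    return {"tree": tree, "implies": implies, "groups": chosen,
            "mandatory": mandatory, "excludes": set(Ex) - grouped}

# Constructed feature graph for the cellphone family (edges transitively closed).
ROOT = frozenset({"cellphone", "display", "battery"})
WIRELESS, MONO, COLOR = frozenset({"wireless"}), frozenset({"mono"}), frozenset({"color"})
INFRARED, BLUETOOTH, LI_ION = (frozenset({"infrared"}), frozenset({"bluetooth"}),
                               frozenset({"li_ion"}))
FG = dict(
    V={ROOT, WIRELESS, MONO, COLOR, INFRARED, BLUETOOTH, LI_ION},
    E={(WIRELESS, ROOT), (MONO, ROOT), (COLOR, ROOT), (LI_ION, ROOT),
       (INFRARED, WIRELESS), (INFRARED, ROOT),
       (BLUETOOTH, WIRELESS), (BLUETOOTH, LI_ION), (BLUETOOTH, ROOT)},
    Ex={frozenset((MONO, COLOR))},
    groups={"xor": [(ROOT, frozenset((MONO, COLOR)))],
            "or": [(WIRELESS, frozenset((INFRARED, BLUETOOTH)))]},
)

if __name__ == "__main__":
    for key, value in extract_diagram(**FG, prefer={"cellphone"}).items():
        print(key, value)
```

Bluetooth has two equally deep candidate parents (wireless and li_ion); the tie-break here picks wireless, and the other edge ends up as the cross-tree implication bluetooth → li_ion.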

Extracting The Feature Graph. Figure 7 presents the generic
algorithm for retrieving a feature graph from a propositional
formula (FGE). It follows the design proposed in [16], extended
with mutex-groups and excludes edges. Our contribution
is to show how FGE can be implemented very efficiently
for input represented in CNF and DNF. The implementation
in [16] could not scale beyond a couple of dozen features.

Mendonca [33, 32] has shown that large feature models
can be analyzed efficiently using a SAT solver. The analysis
is usually feasible, because even though complex constraints
are present, the hierarchical tree constraint imposed over
all features by the diagram significantly simplifies the task
of a SAT solver. This hints that exploring SAT-based
algorithms for synthesis may be beneficial. The difficulty,
however, lies in the fact that not all the queries used in
the algorithm can be directly answered by a SAT solver,
thus we have to resort to additional techniques. The final
outcome demonstrates a dramatic performance improvement,
making the FMS problem practically tractable. Below, we
briefly summarize the main steps of the generic algorithm,
while we will address the details of CNF and DNF oriented
implementations in the upcoming sections.

Let us walk through the steps of FGE presented in Fig. 7.
The algorithm takes two parameters: a formula $\varphi$ and its
root $r$. We begin by detecting dead features in $\varphi$ (lines 1-2).
A feature is dead if it is not present in any configuration.
FGE produces a feature graph containing only live features;
dead features are either irrelevant, or they manifest errors.
The binary implication graph $G$ is computed next where live
features are vertices in $G$ and an edge $(u, v)$ exists whenever
$\varphi$ entails $u \to v$. See lines 3-4.


Feature-Graph-Extraction
($\varphi$ : formula over $F$ rooted in $r$, $r \in F$)

   > Find and remove all dead features
 1 $D = \{ f \in F \mid \varphi \wedge r \to \neg f \}$
 2 $\varphi = \varphi[d \mapsto 0]_{d \in D}$
   > Compute the implication graph $G(V, E)$
 3 $V = F \setminus D$
 4 $E = \{ (u, v) \in V \times V \mid \varphi \wedge u \to v \}$
   > Compute strongly connected components
 5 $V' = \{ S \subseteq V \mid S \text{ is a SCC of } G \}$
   > Make edges between SCCs creating a DAG
 6 $E' = \{ (u, v) \in V' \times V' \mid u \neq v$ and
 7        $\exists u' \in u, v' \in v.\ (u', v') \in E \}$
   > Compute the mutex graph $M(V', E_x)$
 8 $E_x = \{ \{u, v\} \subseteq V' \mid \exists u' \in u, v' \in v.\ \varphi \wedge u' \to \neg v' \}$
   > Compute mutex-groups
 9 $G_m = \{ \{(f_1, p), \ldots, (f_k, p)\} \mid \{f_1, \ldots, f_k\}$ is
10        a maximal clique in $M$ and $\forall f_i.\ (f_i, p) \in E' \}$
   > Compute or-groups
11 $G_o = \{ \{(f_1, p), \ldots, (f_k, p)\} \mid f'_1 \vee \cdots \vee f'_k$ is
12        a prime implicate of $\varphi \wedge p'$ and
13        $p' \in p$ and $\forall f'_i.\ f'_i \in f_i \wedge (f_i, p) \in E' \}$
   > Compute xor-groups
14 $G_x = \{ \{(f_1, p), \ldots, (f_k, p)\} \in G_o \mid \forall i \neq j.\ (f_i, f_j) \in E_x \}$
15 return $FG(V', E', E_x, (G_o \setminus G_x, G_x, G_m \setminus G_x))$

Figure 7: The generic algorithm, mostly after [If ]


And-groups—features that always co-occur—are identified
as the strongly connected components (SCCs) in the implication
graph $G$. We lift the implication graph to its SCCs:
vertices $V'$ are sets of co-occurring features (line 5). There is
an edge $(u, v)$ in $E'$ between two and-groups iff there exists an
implication edge between any member of $u$ and any member
of $v$ in the implication graph $G$ (lines 6-7). The resulting
graph $(V', E')$ is a DAG rooted in a vertex containing $r$.
Since $r$ is the root feature, every feature co-occurring with $r$
is in the same and-group, and if there are two or more roots
in $\varphi$, then they would also belong in the same and-group (a
rooted formula can have more than one root, according to
the definition given in Sect. 3; $r$ is one of these roots).

The mutex graph $M$ is an undirected graph where the
vertices are and-groups. An edge exists between $u$, $v$ iff $\varphi$
entails a mutual exclusion, $u \to \neg v$ (line 9). The edges of
the mutex graph become the excludes edges of the resulting
feature graph. Mutex-groups are computed by finding all
maximal cliques [8] in $M$. A mutex-group is created for each
clique and common ancestor $p$ (line 8). Or-groups are computed
by identifying prime implicates among variables and
their common ancestor (line 11). Finally, to find xor-groups
either check for each or-group if its children are mutually
exclusive (line 14), or for each mutex-group if the disjunction of
its members is implied by the parent (more efficient).
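A brute-force rendering of lines 1-10 and 14 of Fig. 7, added here as an illustration and not taken from the paper. It takes the Scenario 1 view (the formula is the set of legal products) instead of SAT calls, and the cellphone constraints, the dead feature `stylus` and all function names are constructed for the example.

```python
from itertools import combinations, product

# Constructed input modelled on the cellphone family of Fig. 4. The dead
# feature "stylus" and li_ion as a plain optional feature are assumptions.
FEATURES = ["cellphone", "display", "battery", "wireless", "mono",
            "color", "infrared", "bluetooth", "li_ion", "stylus"]

def legal(c):
    return (c["cellphone"] and c["display"] and c["battery"]
            and c["mono"] != c["color"]                             # xor-group
            and c["wireless"] == (c["infrared"] or c["bluetooth"])  # or-group
            and (not c["bluetooth"] or c["li_ion"])                 # implies edge
            and not c["stylus"])                                    # never selectable

def configurations():
    """All legal products; each DNF term is given as its set of present features."""
    rows = (dict(zip(FEATURES, bits))
            for bits in product([False, True], repeat=len(FEATURES)))
    return [frozenset(f for f in FEATURES if c[f]) for c in rows if legal(c)]

def implies(configs, u, v):
    """phi AND u -> v holds iff every product that has u also has v."""
    return all(v in c for c in configs if u in c)

def maximal_cliques(nodes, edges):
    """Exhaustive search; acceptable only for a handful of nodes."""
    cliques = [frozenset(s) for k in range(2, len(nodes) + 1)
               for s in combinations(nodes, k)
               if all(frozenset(pair) in edges for pair in combinations(s, 2))]
    return [c for c in cliques if not any(c < d for d in cliques)]

def feature_graph(configs, features):
    # Lines 1-2: a feature is dead if no product contains it.
    dead = {f for f in features if not any(f in c for c in configs)}
    live = [f for f in features if f not in dead]
    # Lines 3-4: binary implication graph over live features.
    E = {(u, v) for u in live for v in live if u != v and implies(configs, u, v)}
    # Line 5: and-groups. E is transitively closed here, so the SCC of u is
    # u together with every v that implies u and is implied by it.
    group = {u: frozenset([u] + [v for v in live if (u, v) in E and (v, u) in E])
             for u in live}
    V = set(group.values())
    # Lines 6-7: child-parent edges between distinct and-groups.
    Ep = {(group[u], group[v]) for u, v in E if group[u] != group[v]}
    # Line 8: excludes edges; one representative per and-group is enough.
    rep = {g: min(g) for g in V}
    Ex = {frozenset((a, b)) for a, b in combinations(V, 2)
          if not any(rep[a] in c and rep[b] in c for c in configs)}
    # Lines 9-10 and 14: a mutex-group is a maximal clique with a common
    # ancestor; it is an xor-group when the parent implies the disjunction.
    Gm, Gx = [], []
    for clique in maximal_cliques(sorted(V, key=sorted), Ex):
        for p in V:
            if all((f, p) in Ep for f in clique):
                covered = all(any(rep[f] in c for f in clique)
                              for c in configs if rep[p] in c)
                (Gx if covered else Gm).append((p, clique))
    return {"dead": dead, "V": V, "E": Ep, "Ex": Ex, "Gm": Gm, "Gx": Gx}

if __name__ == "__main__":
    fg = feature_graph(configurations(), FEATURES)
    print(sorted(map(sorted, fg["V"])), fg["Gx"])
```

Or-groups (lines 11-13) are left out on purpose: they need prime implicates, which cannot be read off pairwise checks like the ones used here.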

5. COMPLEXITY DISCUSSION FOR FGE 

Before we move on to describing how FGE can be implemented
for CNF and DNF inputs, we want to clarify which
are the hard steps in the FGE algorithm. Observe that all
steps except computing or-groups reduce to establishing entailment
of binary implications between literals, and it is
well known that this can often be done efficiently using a
SAT solver (at least if the input is a CNF formula [32]).

It remains to discuss the complexity of the most difficult
step in the algorithm: the computation of prime implicates
in lines 11-13. Observe that if $\pi$ is a prime implicate of $\varphi$,
then $\neg\pi$ is a prime implicant of $\neg\varphi$. So the prime implicate
problem for CNF is as hard as the prime implicant problem
for DNF, and, dually, the prime implicant problem with CNF
is equi-difficult with the prime implicate problem of DNF.
We now define decision versions of these problems:

Def. 4. CNF-Shortest-Implicant Problem: given a formula
$\varphi$ in CNF and an integer $k$, is there an implicant of $\varphi$
that contains $k$ or fewer literals?

DNF-Shortest-Implicant: given a DNF formula $\varphi$ and an
integer $k$, is there an implicant of $\varphi$ of at most $k$ literals?

Thm. 2. The DNF-Shortest-Implicant problem is coNP-hard,
so it is not in NP unless NP = coNP.

Since NP = coNP is an important and long outstanding open
problem, it is unlikely that a SAT solver, an efficient solving
technique for NP-complete problems, can be used as the
main part of the solution for the problem of finding prime
implicants of a DNF formula, or equivalently computing
prime implicates of a CNF. Consequently, we will seek other
techniques for finding or-groups in a CNF formula.

Thm. 3. CNF-Shortest-Implicant problem is NP-complete.

Since CNF-Shortest-Implicant is just as hard as the satisfiability
problem, there exists a polynomial reduction between
SAT and CNF-Shortest-Implicant. Likely finding prime implicants
can be realized by solving SAT, and thus, given
efficiency of current SAT solvers, it will likely be beneficial to
use them to find or-groups within a DNF formula (or-groups
are prime implicates; prime implicates of a DNF formula
are prime implicants of its negation, a CNF formula).

6. SYNTHESIS WITH FGE-CNF 

Even though synthesis of or-groups is harder for CNF 
than for DNF, studying algorithms assuming CNF on input 
remains relevant. As sketched in Sect. 2, applications of Fge- 
CNF include synthesizing feature diagrams from declarative 
constraints specified by engineers and reverse engineering a 
model from existing code artefacts ( Scenario 2). In the latter 
case it is normally natural to generate CNF representation of 
dependencies. Similarly, since semantics of a feature diagram 
is also expressed as a CNF formula (equation (1)) one can 
use Fge-CNF to reason about existing diagrams ( Scenario 
3). CNF clauses can be reinterpreted as implications from 
conjunctions to disjunctions of literals, naturally expressing 
properties like x requires y, or x excludes y. Furthermore, 
clauses are very naturally combined using conjunction. 

Let the version of Fge, assuming CNF input be called 
Fge-CNF. The structure of Fge-CNF is the same as of Fge 
(Fig. 7). We detail how to implement the individual parts of 
the algorithm, assuming that the tp is in CNF. 

Lines 1-2 Dead Features: To detect whether a feature $f$
is dead, check if $\varphi \land f$ is consistent. Now $\varphi \land f$ is a CNF
formula; a single SAT call establishes consistency. Further, a
positive answer comes with a witness, which proves liveness
of all variables to which it assigns true, not just $f$. No further
SAT calls are made for these. Also, the SAT solver is tuned
to prefer witnesses with multiple true values, over those with
many zeroes, to allow learning about many features in one
call. Still, in the worst case, detecting dead features performs
$O(|F|)$ SAT calls.

Lines 3-4 Implications: Detecting binary implications requires
proving validity for formulas of the $\varphi \land f_i \to f_j$ kind,
or, equivalently, checking if $\varphi \land f_i \land \neg f_j$ is inconsistent. Thus
one implication edge is detected by one SAT call. Detecting
all implications requires $O(|F|^2)$ calls. In practice, again, a
single witness can be used to disprove all implications between
variables $f_i$ and $f_k$, whenever $f_i$ is assigned true, and
$f_k$ is assigned false.

Line 8 Mutual Exclusions: Detecting mutexes resembles
detecting positive implications and is done by checking if
$\varphi \land f_i \land f_j$ is inconsistent. Like above, finding all exclusions
requires a quadratic number of SAT checks on a formula
which is (essentially) the same size as $\varphi$. Again this number
can be decreased by learning about more than one pair of
features from a single witness.

Line 11-13 Or Groups: To identify or-groups we need to find
prime implicates. We will rely on the following lemma:

Lemma 1. Let $\varphi$ be a formula in CNF and $C$ a clause,
then $\varphi \models C$ if and only if there exists a clause $C'$ such that
$C' \subseteq C$ and $C'$ is derivable from $\varphi$ by resolution.

See [9] for a proof. The idea is to perform consecutive
resolutions of clauses of $\varphi$ discarding subsumed resolvents,
otherwise adding them to $\varphi$ and removing clauses that are
subsumed by them. If the fixpoint is reached with a result
other than the empty clause, the result is the set of all prime
implicates of $\varphi$. Completeness of this procedure was shown
by Quine in the fifties; his proof is rephrased in [10, p. 24].

We synthesize or-groups using the Pig algorithm [25, 24],
which orders the resolutions in the above scheme heuristically.
Proofs for the completeness and soundness of Pig
are outlined in [24]. However Pig itself is not sufficient. It
generates all possible resolvents, and it is unlikely that it can
be optimized to find or-groups efficiently. In our case we are
only interested in implicants containing features that share
the same parents in the (E 1 , V') graph, and these features
should only appear in positive form. Our brief experiments
show that it is not feasible to generate all implicants and
then filter out the uninteresting ones. Thus we apply variable
elimination. For a given parent p, we eliminate from $\varphi$ all
features that are not its children, before proceeding to search
for prime implicates of p in this smaller formula. This leads
to significant performance gains.

We use Ver[ ] to eliminate variables. The output of
Ver($\varphi$, $x$) is a CNF formula $\psi$ not containing the variable $x$,
but equisatisfiable to $\varphi$. It turns out that formulas presented
by Ver are not only equisatisfiable, but also the set of prime
implicants of $\varphi$ over the kept variables is preserved:

Thm. 4. Let $\varphi$ be a formula in CNF over the set of variables
$X$, $x \in X$ and let $\psi$ = Ver($\varphi$, $x$). Let $\pi$ be a clause
consisting only of variables in $X \setminus \{x\}$. Then $\pi$ is a prime
implicate of $\varphi$ if and only if $\pi$ is a prime implicate of $\psi$.

Incremental Computation of or-groups. The above way of
identifying or-groups appears to do a lot of redundant work.
We first find implicates of $\varphi \land f$ for some parent feature $f$,
and then seek implicates of $\varphi \land f'$ for the next parent
$f'$. But these two formulas are very similar. Alternatively,
one can use an algorithm computing the prime implicates of
$\varphi \land f$, assuming the prime implicates of $\varphi$ are already known.

This procedure is strongly inspired by the Piglet algorithm [24],
which computes the prime implicates of a formula
$\varphi \land \psi$, where $\varphi$ is an arbitrary formula and $\psi$ a formula in
CNF, assuming the prime implicates of $\varphi$ are known. Let $\Pi_\varphi$
denote the set of prime implicates of the formula $\varphi$. Then the
prime implicates $\Pi_{\varphi \land f}$ of $\varphi \land f$ can be computed as follows:

1. Let $\Pi = \Pi_\varphi$. Add $f$ to $\Pi$ and remove all clauses from
$\Pi$ subsumed by $f$.

2. Let $S = \{\mathrm{Resolve}(\pi, f) \mid \pi \in \Pi_\varphi, \neg f \in \pi\}$. Add the
clauses in $S$ to $\Pi$ and remove all $\pi \in \Pi$ with $\neg f \in \pi$
from $\Pi$ as they are subsumed by a clause in $S$, since
$\mathrm{Resolve}(\pi, f) = \pi \setminus \{\neg f\}$.

This procedure can be used to compute the prime implicates
of $\varphi \land r \land f$ efficiently. First, compute implicates of
$\varphi \land r$ and then reuse the results to find implicates of $\varphi \land r \land f$
for each parent feature $f$. The resolution steps needed to
compute the implicates of $\varphi \land r$ are only performed once.
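
The resolution fixpoint and the incremental steps 1 and 2 above, as an added Python example (not the paper's SAT4J implementation). Clauses are frozensets of signed integers in the DIMACS style and all function names are assumptions of this example; resolvents are inserted with a subsumption check so the result stays minimal, and the or-group filter is applied directly instead of after variable elimination.

```python
from itertools import combinations

def is_tautology(clause):
    return any(-lit in clause for lit in clause)

def insert_minimal(clauses, new):
    """Add `new` unless an existing clause subsumes it; drop clauses it subsumes."""
    if any(old <= new for old in clauses):
        return False
    clauses.difference_update({old for old in clauses if new < old})
    clauses.add(new)
    return True

def prime_implicates(cnf):
    """Resolution to fixpoint, keeping only subsumption-minimal clauses."""
    pi = set()
    for clause in map(frozenset, cnf):
        if not is_tautology(clause):
            insert_minimal(pi, clause)
    changed = True
    while changed:
        changed = False
        for c1, c2 in combinations(list(pi), 2):
            for lit in c1:
                if -lit in c2:
                    resolvent = (c1 - {lit}) | (c2 - {-lit})
                    if not is_tautology(resolvent) and insert_minimal(pi, resolvent):
                        changed = True
    return pi

def conjoin_unit(pi_phi, f):
    """Prime implicates of (phi AND f), given the prime implicates of phi."""
    # Clauses containing -f are replaced by their resolvents in step 2.
    pi = {c for c in pi_phi if -f not in c}
    # Step 1: add the unit clause f; every clause containing f is subsumed.
    insert_minimal(pi, frozenset([f]))
    # Step 2: Resolve(pi, f) = pi \ {-f} for each clause pi containing -f.
    for clause in pi_phi:
        if -f in clause:
            insert_minimal(pi, clause - {-f})
    return pi

def or_groups(pi_phi, parent, children):
    """Positive clauses over the children of `parent` implied by (phi AND parent)."""
    return {c for c in conjoin_unit(pi_phi, parent) if c <= frozenset(children)}

# Constructed input: feature 1 has or-group {2, 3}; feature 2 has or-group {4, 5}.
CNF = [[-1, 2, 3], [-2, 1], [-3, 1], [-2, 4, 5], [-4, 2], [-5, 2]]
PI = prime_implicates(CNF)   # computed once, reused for every parent

if __name__ == "__main__":
    print(sorted(map(sorted, or_groups(PI, 1, {2, 3}))))
    print(sorted(map(sorted, or_groups(PI, 2, {4, 5}))))
```
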

7. SYNTHESIZING WITH FGE-DNF 

Fge-DNF is a variant of Fge assuming DNF as input. In
Sect. 2 we have shown that it is applicable to scenarios where
models are to be synthesized from a list of existing variants
of a product (Scenario 1).

Fge-DNF shares the structure with Fge (Fig. 7). We 
describe the details of the computation for DNF below. We 
assume that the DNF formula only contains satisfiable terms. 
A term is satisfiable if it does not contain a literal and its 
negation. Unsatisfiable terms can be removed in linear time. 

Lines 1-2 Dead Features: A variable $f$ is dead iff it appears
negated in every term of $\varphi$. This can be checked in linear
time in $|\varphi|$. So the step runs in $O(|\varphi||F|)$ time.

Lines 3-4 Implications: Since $\varphi$ is in DNF, checking if
$\varphi \land f_i \to f_j$ is valid can be done by checking if $\varphi \land f_i \land \neg f_j$ is
satisfiable, which takes time linear in $|\varphi|$. Check if each term
contains $\{\neg f_i, f_j\}$. Thus the detection of all implications can
be done in $O(|\varphi||F|^2)$ time.

Line 8 Mutual Exclusions: Similarly, the satisfiability of
$\varphi \land f_i \land f_j$ can be computed in linear time. So detection of
exclusions also takes $O(|\varphi||F|^2)$ time.
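
The three linear scans above, as an added Python example that is not taken from the paper's implementation. Terms are frozensets of signed integers and the function names and the variant list are constructed for this example; the per-term test is read as "the term contains at least one of the two literals", which is what makes the conjunction with that term unsatisfiable.

```python
from itertools import combinations, permutations

def to_terms(variants, features):
    """One full DNF term per product variant: selected features positive, rest negated."""
    return [frozenset(f if f in v else -f for f in features) for v in variants]

def satisfiable_terms(terms):
    """Remove terms that contain both a literal and its negation."""
    return [t for t in map(frozenset, terms) if not any(-l in t for l in t)]

def dead_features(terms, features):
    """f is dead iff every term contains the literal -f."""
    return {f for f in features if all(-f in t for t in terms)}

def implications(terms, features):
    """(i, j) is an edge iff phi AND f_i AND NOT f_j is unsatisfiable, i.e.
    every term already contains -f_i or f_j. Dead features are left out
    because the earlier step has removed them (assumption of this example)."""
    live = sorted(set(features) - dead_features(terms, features))
    return {(i, j) for i, j in permutations(live, 2)
            if all(-i in t or j in t for t in terms)}

def mutexes(terms, features):
    """{i, j} is a mutex iff phi AND f_i AND f_j is unsatisfiable."""
    live = sorted(set(features) - dead_features(terms, features))
    return {(i, j) for i, j in combinations(live, 2)
            if all(-i in t or -j in t for t in terms)}

# Constructed sample: 1 base, 2 gui, 3 cli, 4 legacy, 5 theme.
FEATURES = [1, 2, 3, 4, 5]
VARIANTS = [{1, 2}, {1, 3}, {1, 2, 5}]
TERMS = satisfiable_terms(to_terms(VARIANTS, FEATURES))

if __name__ == "__main__":
    print("dead:", dead_features(TERMS, FEATURES))
    print("implications:", sorted(implications(TERMS, FEATURES)))
    print("mutexes:", sorted(mutexes(TERMS, FEATURES)))
```
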

Line 11-13 Or Groups: Recall that synthesizing or-groups
requires identifying prime implicates of $\varphi$ and, since $\varphi$ is in
DNF, this is equivalent to finding prime implicants of its
negation. We will use a procedure based on Binary Integer
Programming (BIP), a special case of Integer Linear Programming
(ILP) that assumes binary domain for variables,
to address this problem. BIP is an NP-complete problem [20]
and thus strongly related to the NP-complete
CNF-Shortest-Implicant problem (see Section 5).

We outline a straightforward polynomial reduction from
finding implicants to BIP [40, 31]. It translates a CNF
formula, here $\neg\varphi$, into a BIP problem $P$, with the property
that any optimal solution to $P$ corresponds to a shortest
implicant of $\neg\varphi$. Let $L$ be the set of literals occurring in $\neg\varphi$.


Solve(f : objective function, S : set of constraints,
      k : upper bound)
  while (k > 0)
    S = S ∪ {f(x) ≤ k}
    status = SAT(S)
    if (status == satisfiable) then k = f(x') − 1
    else return k = k + 1
  return k

Figure 8: A SAT-based solver for BIP

1. For each $l \in L$ introduce a Boolean variable $x_l$. The
objective is to minimize $\sum_{l \in L} x_l$.

2. For each clause $l_1 \lor \dots \lor l_m$ in $\neg\varphi$ add the linear
inequality $x_{l_1} + \dots + x_{l_m} \geq 1$ to the set of constraints.

3. As a literal $l$ and its negation $\neg l$ cannot both be true
in the same assignment of $\varphi$, a constraint of the form
$x_l + x_{\neg l} \leq 1$ is added to the set of constraints.

As every feasible solution must satisfy all constraints in the
BIP, at least one literal in each clause of $\varphi$ corresponds to a
variable assigned the value 1 (second constraint). Constraint
3 ensures that none of these literals are conflicting, i.e. the
variables $x_l$ and $x_{\neg l}$ do not both occur with the value 1 in
a feasible solution. It follows that a conjunction of literals
corresponding to the set of variables assigned the value 1
in any feasible solution is an implicant of $\varphi$. Moreover an
optimal solution to the BIP corresponds to a prime implicant
of $\varphi$, since the number of literals in the solution is minimal
and therefore cannot be subsumed by another implicant.

In [31] two SAT-based algorithms Min_prime and Bsolo
for finding a shortest implicant by solving the corresponding
BIP problem are presented. Experimental results comparing
these algorithms to other BIP/ILP solvers show that SAT-based
algorithms are preferable when computing minimal
prime implicants, and that Bsolo tends to be more efficient
than Min_prime. Despite this conclusion, we have chosen
to implement the Min_prime algorithm because it can be
implemented easily on top of any SAT solver that allows BIP
input. The Min_prime algorithm transforms a CNF formula
$\neg\varphi$ into a BIP as described above and subsequently calls the
subprocedure Solve (Fig. 8).

The Min_prime algorithm can be extended to incrementally
enumerate all prime implicants of $\neg\varphi$ [19]. Details about
this extension, called Prime, can be found in [2]. Instead
of calling Solve just once, Prime calls Solve iteratively.
In each iteration, a prime implicant $l_1 \land \dots \land l_k$ is returned
by Solve. By adding a new constraint $x_{l_1} + \dots + x_{l_k} < k$
to the set of constraints, the Prime algorithm ensures that
the same prime implicant will not be returned again in the
following iterations.

Recall that given a formula $\varphi$ over variables $\{f_1, \dots, f_n\}$
an or-group of a feature $f$ in $\varphi$ corresponds to a prime
implicate $(f_1 \lor \dots \lor f_k)$ of $\varphi \land f$ containing only positive
literals corresponding to children of $f$ in the implication
graph. By negation of this implication, it follows that an
or-group corresponds to a prime implicant $(\neg f_1 \land \dots \land \neg f_k)$ of
$\neg\varphi \lor \neg f$³ that contains only negative literals corresponding
to children of $f$. Thus every prime implicant of interest
corresponds to an optimal solution of the BIP program, where
each variable corresponding to a positive literal in $\neg\varphi \lor \neg f$
is assigned 0. To avoid the computation of prime implicants
containing positive literals, we modify the BIP program by
removing every variable corresponding to a positive literal in
$\neg\varphi \lor \neg f$. Furthermore, if a variable in the BIP corresponding
to a non-child of $f$ in the implication graph is assigned the
value 1 in a solution, this solution cannot correspond to an
or-group of $f$. Consequently, we can also remove all variables
in the BIP corresponding to non-children of $f$.

³ Note that $\neg\varphi \lor \neg f$ is not in CNF, this can however easily
be achieved since the operators $\lor$ and $\land$ are distributive.
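
The reduction (steps 1 to 3), the bound-lowering loop of Fig. 8, the Prime blocking constraint and the or-group restriction described above, as one added Python example that is not the paper's SAT4J code. An exhaustive search stands in for the SAT call, literals are signed integers, and every function name and the product list are assumptions of this example.

```python
from itertools import product

def negate_dnf(terms):
    """CNF of NOT phi for a DNF phi: De Morgan turns each term into a clause."""
    return [frozenset(-l for l in t) for t in terms]

def build_bip(cnf, keep=None):
    """Steps 1-3 of the reduction; `keep` optionally restricts the literal set L."""
    lits = sorted({l for c in cnf for l in c if keep is None or l in keep})
    idx = {l: i for i, l in enumerate(lits)}
    cover = [[idx[l] for l in c if l in idx] for c in cnf]               # each sum >= 1
    conflict = [(idx[l], idx[-l]) for l in lits if l > 0 and -l in idx]  # each sum <= 1
    return lits, cover, conflict

def feasible(n, cover, conflict, blocked, bound):
    """Stand-in for the SAT call: exhaustive search for x with sum(x) <= bound."""
    for x in product((0, 1), repeat=n):
        if (sum(x) <= bound
                and all(any(x[i] for i in c) for c in cover)
                and all(x[i] + x[j] <= 1 for i, j in conflict)
                and all(sum(x[i] for i in b) < len(b) for b in blocked)):
            return x
    return None

def solve(n, cover, conflict, blocked):
    """Lower the bound k after each satisfiable call; the last witness is optimal."""
    best, k = None, n
    while k >= 0:
        x = feasible(n, cover, conflict, blocked, k)
        if x is None:
            break
        best, k = x, sum(x) - 1
    return best

def prime_implicants(cnf, keep=None):
    """Prime: call solve repeatedly, blocking each implicant already returned."""
    # Tautological clauses constrain nothing and are dropped first.
    cnf = [c for c in map(frozenset, cnf) if not any(-l in c for l in c)]
    lits, cover, conflict = build_bip(cnf, keep)
    blocked, found = [], []
    while True:
        x = solve(len(lits), cover, conflict, blocked)
        if x is None:
            return found
        chosen = [i for i, bit in enumerate(x) if bit]
        found.append(frozenset(lits[i] for i in chosen))
        blocked.append(chosen)            # x_{l_1} + ... + x_{l_k} < k

def or_groups(terms, parent, children):
    """Negated prime implicants of (NOT phi OR NOT parent) over child literals.
    A singleton result means that child is implied by the parent."""
    cnf = [c | {-parent} for c in negate_dnf(terms)]   # distribute NOT parent
    keep = {-c for c in children}                      # negative child literals only
    return [frozenset(-l for l in p) for p in prime_implicants(cnf, keep)]

# Constructed products: 1 root, 2 optional child of 1, {3, 4} or-group under 2.
FEATURES = [1, 2, 3, 4]
PRODUCTS = [{1}, {1, 2, 3}, {1, 2, 4}, {1, 2, 3, 4}]
TERMS = [[f if f in p else -f for f in FEATURES] for p in PRODUCTS]

if __name__ == "__main__":
    print(or_groups(TERMS, 2, {3, 4}))
    print(or_groups(TERMS, 1, {2}))
```
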

8. EXPERIMENTAL EVALUATION 

We implemented the algorithm using the core SAT4J library
(http://sat4j.org/). SAT4J is a widely used open-source
Java interface to SAT solvers that implements the initial Minisat
specification [18]. An advantage of SAT4J is the support
of cardinality constraints, which allows a straightforward
implementation of the Prime algorithm (cf. Sect. 7). The
performance of the Pig algorithm is heavily dependent on
the expense of forward and backward subsumption and we
have implemented the algorithms presented by Zhang [42].

We will now evaluate the efficiency of our techniques. Note 
that quality of the produced models does not need to be 
evaluated, since by design we create a compact representation 
of all possible diagrams consistent with the input. Evaluation 
of quality of the derived models belongs to work on tools 
that help deriving them (see Section 2 for possible scenarios). 

To imitate a realistic usage of the algorithm our evaluation
used input formulae representing dependencies amongst features,
which were obtained from feature models translated
into CNF, DNF and BDDs. We took a subset of models
available at SPLOT and the feature model repository
(splot-research.org) and (fm.gsdlab.org) with sizes ranging from 9
to 287 features. We further generated an additional 20 random
3-CNF feature models having 100 or 200 features using
the Feature Model Generator on the SPLOT website. The
3-CNF feature models are tougher benchmarks than the real
models since they tend to induce harder problems [32]. The
experiments were run using Java 1.6 on a 2.0 GHz Intel Core
2 Duo processor. We used JavaBDD 1.0b2 for the BDD-based
implementation. The memory available to the JVM
was set to 1.6GB and a timeout was recorded after one
hour for all models (excluding the Linux kernel, see below).

Linux is an operating system kernel with an explicit variability
model used to configure features in the kernel prior
to compilation. In contrast to the other models, here we
followed the early FM hierarchy selection workflow described
in Scenario 2. Group and CTC recovery was performed after
a hierarchy was selected. We used a propositional translation
of the variability model in the version 2.6.28.6 of the Linux
kernel [39, 38]. The model, with 5701 features, was too large
for computing or-groups, however we used an alternative
method of computing xor-groups that does not rely on
or-groups as shown in Fig. 7. The alternative method first finds
the set of mutex-groups and then checks for each of them
whether at least one group member must be present:

$$G'_x = \{\{(f_1,p), \dots, (f_k,p)\} \in G_m \mid \varphi \land p \to f_1 \lor \dots \lor f_k\} \qquad (3)$$

Table 1 shows the total running time of the BDD-based
implementations and of Fge-CNF with non-incremental
or-group computation. The times are broken down into
three components: the computation time of the implication
graph (ig), mutex graph (mg) and or-groups (or). The total
time includes the computation of and-groups, mutex-groups,
and xor-groups. We only show results for models with 43 or
more features since the two implementations show no notable
difference for smaller models.

Features  DNF-terms  Model name               BDD    SAT-DNF
67        6400       Home-Integration-System  270 s  2.9 s
44        80658      Thread-Domain            •      35 s

• timeout

Table 2: Running time of the BDD-based vs the
SAT-based implementation for DNF input

The computation times for the implication and mutex
graphs are similar for Fge-BDD. However, the mutex graph
computation for Fge-CNF takes significantly longer for large
models—3.5 times longer for the Linux kernel. BDD methods
are generally slightly faster if they succeed (but we are talking
about differences in milliseconds). Unfortunately, they run
out of memory for some cases. For the E-Shop model,
Fge-CNF performs better by computing the implication
graph roughly 6 times faster and the mutex-graph 2 times
faster than Fge-BDD. On the computation of or-groups,
the SAT-based implementation is significantly faster than
the BDD-based implementation for all models. 7 of the
models did not terminate within an hour (timeout) while
the other 3 ran out of memory while building the BDD.
The BDD-based implementation managed to compute
or-groups for only 2 models (Documentation-Generation and
Home-Integration-System) and was roughly 1000 times slower
than the SAT-based implementation. With the randomly
generated 3-CNF models, the results are similar where
Fge-CNF completed the computation and Fge-BDD timed
out during the or-group calculation. See the online appendix.

We also evaluated Fge-DNF, using formulas obtained by 
enumerating all legal configurations for small models (below 
67 features). Fge-DNF was at least 100 times faster than the 
BDD-based results when computing or-groups. See Table 2. 

The main threat to validity in the above experiment lies in
selection of instances for experiments. Since we are dealing
with NP-hard problems it is always possible to tune the instances
that are favourable for one technique and adversarial
for the other. We avoid this bias by using realistic examples
from public repositories and randomly generated models.

An internal threat is a possible incorrectness of our implementation
that could affect performance. To mitigate
this problem we have tested the algorithms against each
other, primarily the CNF and the BDD version, but also the
DNF-CNF-BDD triple for smaller examples.

                                   BDD                             SAT
Features  Model name               ig     mg     or     total     ig      mg      or      total
44        …                        6 ms   2 ms   •      •         28 ms   31 ms   …       945 ms
46        Dell-Laptop-Notebook     13 ms  11 ms  •      •         24 ms   …       …       360 s
58        GG4                      65 ms  30 ms  •      •         24 ms   27 ms   21 s    21 s
61        …                        20 ms  17 ms  •      •         55 ms   72 ms   711 ms  875 ms
67        Home-Integration-System  16 ms  3 ms   270 s  270 s     108 ms  17 ms   195 ms  347 ms
88        Model-Transformation     19 ms  8 ms   •      •         181 ms  264 ms  342 ms  858 ms
94        BerkleyDB                o      o      o      o         103 ms  153 ms  438 ms  1.0 s
…         Violet                   o      o      o      o         125 ms  866 ms  2.9 s   4.0 s
287       E-Shop                   19 s   15 s   •      •         3.0 s   7.2 s   110 s   120 s
5701      Linux kernel 2.6.28.6    …      …      …      o         1.7 h   6.1 h   …       …

• timeout   o out of memory

Table 1: Performance of the BDD-based and the SAT-based method for input formulas in CNF on real models

9. RELATED WORK

The present work is described in greater detail in [2]. In [16],
we show a BDD-based algorithm for synthesis of feature models
from formulae. The algorithms presented here are based
on SAT solving, resolution and binary integer programming,
achieving improved performance. Essentially, the procedure
presented in [ i] was of theoretical interest—it explained how
to identify semantic traits of feature diagrams in propositional
constraints. The present paper provides an executable
scalable technique. Scenario 1 scales to medium size models
(a few hundred features). Scenario 2 scales to very large
models of thousands of features (without or-groups).

As discussed in Sect. 2, the presented synthesis problem
is an essential subproblem in many usage scenarios. We
have shown how the algorithm can be used with additional
information coming from feature name similarity and user
decisions to reverse engineer FMs from the build system and
code with conditional compilation [39]. That work targets creating
FMs for systems such as FreeBSD, which have a build
system exposing several hundred variable features as compile
options as a flat list. Other reverse engineering scenarios
may require additional steps, such as feature identification
and feature location [17], before the feature dependencies can
be identified and fed into the presented algorithms. Acher [1]
presents a model management framework for FMs based on
[16]. His framework would experience a significant performance
boost if employing our new algorithms. Janota et
al. [26] propose an interactive tool for building feature models
from propositional formulas. The tool uses a feature graph
synthesized using [16] to determine the editing operations
that create valid feature diagrams. Fge-CNF can be used
to drastically improve the scalability of that tool.

Using logics and reasoners to analyze feature models is 
now well established [4]. Some of the steps in Fge, like dead 
feature detection, are known as separate analyses listed in [4]. 

Probabilistic feature models (PFM) extend feature models
with soft constraints, expressing preference among legal
configurations [15]. In [15] we have presented a method for
extracting a PFM from a set of configurations using Bayesian
statistics. Fge-DNF achieves a specialized result where all
constraints have 100% probability. The group detection methods
in [15] were based on [16], so [15] would considerably
benefit from the current performance improvement.

Loesch and Ploedereder [30] extract variability from a sample
set using formal concept analysis. The extracted variability
is used to construct a concept lattice, exposing and-groups,
mutually exclusive and dead features. Unlike the feature
graph constructed by Fge, their lattice does not include
or-groups. Ryssel et al. [35] also exploit concept analysis to
synthesize FMs including or- and xor-groups, from product
matrices that correspond to our DNF representation. The
complexity of this problem depends primarily on the number
of configurations in the input. While we handle models of up
to 80 thousand products, in up to 35 seconds, they report up
to 63 products with times from 120s to 3 days. On the other
hand, their technique synthesizes new abstract concepts (features),
which we do not. It would be interesting to investigate
whether that technique could enhance our method, without
significant loss of performance.

Coudert and Madre give two prime implicant algorithms [12]. 
Other methods for CNF input are found in [28, 2 ]. 

10. CONCLUDING REMARKS 

We have presented algorithms for synthesis of feature models
from propositional constraints by deriving symbolic representations
of all candidate diagrams, and deriving instances
from these diagrams.

We have designed and implemented the algorithms for
input expressed as CNF or DNF formulae. We have shown
experimentally that both techniques outperform the old BDD
implementation by a factor of 10 to 1000 times, enabling the
use of synthesis techniques in tools. The biggest tractable
model for the BDD technique had 67 features (as opposed to
287 for Fge-CNF). More importantly, the BDD technique
was extremely unpredictable, failing for many smaller models
as soon as they exceed 30 features. We also know that
Fge-CNF scales to above 5000 features, if the or-group
computation is switched off, whereas for the BDD-technique
it is usually not even possible to build BDD-representations
for feature model instances exceeding 2000 features [32].

Once a diagram FD is derived, one still needs to construct
a textual cross-tree constraint $\psi$ such that the entire feature
model is equivalent to the input formula $\varphi$. Obviously, one
choice for $\psi$ is $\varphi$ itself. However, normally we would like
to simplify the formula, seeking a (syntactically) minimal
$\psi$ such that $[FD] \land \psi = \varphi$. Unfortunately, finding minimal
representations is difficult. Another possibility is to use an
almost optimal approach such as the Espresso-II [7], known
to efficiently produce close-to-minimal representations in
practice. The efficiency of Espresso-II for our particular
problem still needs to be investigated.